Analysis
max time kernel: 844s
max time network: 844s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/01/2025, 07:50
Tasks
static1 (Static task)
behavioral1 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: win7-20240903-en
behavioral2 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: win10v2004-20241007-en
behavioral3 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: android-x86-arm-20240624-en
behavioral4 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: android-x64-20240624-en
behavioral5 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: android-x64-arm64-20240624-en
behavioral6 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: macos-20241106-en
behavioral7 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: ubuntu1804-amd64-20240611-en
behavioral8 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: debian9-armhf-20240418-en
behavioral9 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: debian9-mipsbe-20240611-en
behavioral10 (Behavioral task) | Sample: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | Resource: debian9-mipsel-20240729-en
General
Target: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe
Size: 60KB
MD5: e2184da5d001380387816a36ae4095b7
SHA1: 1c95879965d58eb16555621a8be7a922cbb40962
SHA256: d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e
SHA512: c54d49ddd9dc1fdfde793228d89891f87fe477b30442ccb4bf2273a7f0c4996ce40185e3a7f47a60dea8ab9203e88f37d96fa517929e8b2eabaf2b3874947c1c
SSDEEP: 1536:4rOaf+p9RTeoi6HLJ3Zi4jMdsSDclcbiGCq2iW7z:4rOa2TRxFY4jcDclceGCH
Malware Config
Extracted
bdaejec
ddos.dnsnb8.net
Signatures

Bdaejec family

Detects Bdaejec Backdoor (1 IoC)
Bdaejec is a backdoor written in C++.
resource | yara_rule
behavioral1/memory/2068-25-0x0000000000920000-0x0000000000929000-memory.dmp | family_bdaejec_backdoor
behavioral1/files/0x000e000000013b4c-4.dat | aspack_v212_v242

Executes dropped EXE (1 IoC)
pid | Process
2068 | qVDeOD.exe

Loads dropped DLL (2 IoCs)
pid | Process
1660 | d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe
1660 | d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | qVDeOD.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | qVDeOD.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | qVDeOD.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | qVDeOD.exe
File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Windows Sidebar\sidebar.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | qVDeOD.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | qVDeOD.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | qVDeOD.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qVDeOD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1660 wrote to memory of 2068 | 1660 | d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | 31
PID 1660 wrote to memory of 2068 | 1660 | d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | 31
PID 1660 wrote to memory of 2068 | 1660 | d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | 31
PID 1660 wrote to memory of 2068 | 1660 | d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe | 31
PID 2068 wrote to memory of 2672 | 2068 | qVDeOD.exe | 33
PID 2068 wrote to memory of 2672 | 2068 | qVDeOD.exe | 33
PID 2068 wrote to memory of 2672 | 2068 | qVDeOD.exe | 33
PID 2068 wrote to memory of 2672 | 2068 | qVDeOD.exe | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe (PID 1660)
   Command line: C:\Users\Admin\AppData\Local\Temp\d5665f986ad453b570358cf576667729875b5631bc9deb5a55308f9efd3d3c0e.exe cmd /c %TERMINATE% "DELETE"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\qVDeOD.exe (PID 2068)
      Command line: C:\Users\Admin\AppData\Local\Temp\qVDeOD.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 2672)
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\58d0790c.bat" "
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 187B
MD5: 3d0c21d6d2541f222e5516bb7e2a079a
SHA1: 478e09a31002f3117b12ac5150f822439eafcac1
SHA256: 05b5bb5626c659b621f684af5f1b817dc8c709f4bec0a53a9db79ddf2290be6e
SHA512: 6a1bca369b264feece59e4164b53b5efee3035099bd6066e2f9abd3ce1aff2bf3a1acdcc0cb0510eb440990ef59a1467ae0e77d4a729861910fefec8d5b00dce

Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e